CN105830414B - Secure network access using credentials - Google Patents
Secure network access using credentials
- Publication number: CN105830414B (application CN201480064804.6A)
- Authority: CN (China)
- Prior art keywords: mobile subscriber, subscriber equipment, network, voucher (credential), party
- Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Active
Classifications
- H04L63/0807: Network security; authentication of entities using tickets, e.g. Kerberos
- H04L63/0823: Network security; authentication of entities using certificates
- H04L63/083: Network security; authentication of entities using passwords
- H04L63/0884: Network security; authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- H04L63/102: Network security; controlling access to devices or network resources; entity profiles
- H04W12/062: Security arrangements; authentication; pre-authentication
- H04W12/068: Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
- H04W12/069: Authentication using certificates or pre-shared keys
- H04W4/02: Services making use of location information
- H04W4/029: Location-based management or tracking services
- H04W84/12: WLAN [Wireless Local Area Networks]
Abstract
Example embodiments include systems and methods for establishing secure wireless communication: receiving, via an access point (AP), a request from a mobile user equipment (UE) to access the network; sending the UE a web-page sign-in option that uses third-party credentials; receiving an indication that the third-party credentials are to be used; redirecting the UE to the corresponding third-party website login page, including an identifier; receiving an authorization from the UE via the AP, the authorization having been sent to the UE by the third-party website after valid third-party credentials were presented to it; generating a proxy credential; binding the authorization to the proxy credential in a database; sending the proxy credential to the UE via the access point; and authorizing the UE, via the access control server and the AP, to establish a secure connection.
Description
Related Cases
This application is related to, and claims priority from, U.S. Provisional Patent Application US61/885,445, filed October 1st, 2014.
Technical field
This application relates to the field of secure wireless communication.
Background technique
Current wireless systems do not provide a method for establishing a secure wireless connection using credentials from a third-party source.
Summary of the invention
The present invention provides methods, systems and devices that use third-party credentials to provide an encrypted wireless connection.
Certain example embodiments herein include systems and methods for establishing secure wireless communication, including a system comprising a provisioning server in communication with an access point, a database, an access control server and a network. The provisioning server is configured to: receive, via the access point, a request from a mobile user equipment to access the network; send a web-page sign-in option for third-party credentials to the mobile user equipment via the access point; receive from the mobile user equipment, via the access point, an indication that the third-party credentials are to be used; redirect the mobile user equipment, via the network, to the corresponding third-party website login page, including an identifier; receive an authorization from the mobile user equipment via the access point, the authorization having been sent to the mobile user equipment by the third-party website after valid third-party credentials were presented to it; generate a proxy credential; bind the authorization to the proxy credential in the database; send the proxy credential to the mobile user equipment via the access point; and authorize the mobile user equipment, via the access control server and the access point, to establish a secure connection.
In certain example embodiments, the provisioning server is further configured to request, via the network, the user's permission for the third-party website to share user information and permission to update the user's location information on the third-party website with that of the mobile user equipment.
In some embodiments, the provisioning server is further configured to request the user information from the third-party website, via the network, after receiving the authorization from the mobile user equipment, and to receive and save the user information from the third-party website in response to the request.
Further, in some embodiments, the provisioning server is further configured to send the location information of the mobile user equipment to the third-party website via the network. Also, in some embodiments, the access control server is configured to: receive, via the access point, a proxy credential from a mobile user equipment that has previously accessed the network, the proxy credential having been sent to the mobile user equipment earlier after a successful login to the third-party website; verify the proxy credential received from the mobile user equipment via the access point; bind an access token to the received proxy credential; send the access token to the third-party website for verification via the network; if the access token is valid, receive an updated access token from the social networking website via the network; and authorize the mobile user equipment to establish a secure connection via the access point.
In certain example embodiments, the proxy credential is a username-and-password credential, a client-certificate credential and/or a dynamic wildcard. In some embodiments, the third-party credentials are social network credentials and the third-party website is a social networking website. In some embodiments, the identifier is an application ID (App-ID). Also, in some embodiments, the authorization is an authentication code.
In some embodiments, the provisioning server is further configured to exchange the authorization from the mobile user equipment for an access token from the third-party website via the network, to send the access token to the access control server, and to bind the access token in the database to the proxy credential corresponding to the mobile user equipment.
Also, in some embodiments, the OAuth v2 (RFC 6749) protocol can be used to receive the authorization and to exchange the authorization for an access token.
Example embodiments further include systems and methods for establishing secure wireless communication, including, via an access control server in communication with a provisioning server, an access point, a database and a network: receiving a proxy credential from a mobile user equipment via the access point, the proxy credential having been sent earlier from the provisioning server to the mobile user equipment after a successful login to a third-party website; verifying the proxy credential received from the mobile user equipment via the access point; fetching the access token bound to the received proxy credential; sending the access token to the third-party website for verification via the network; if the access token is valid, receiving an updated access token from the social networking website via the network; and authorizing the mobile user equipment to establish a secure connection via the access point.
In some example embodiments, in response to the provisioning server receiving an authorization from the mobile user equipment via the access point, the authorization having been sent to the mobile user equipment from the third-party website after valid third-party credentials were presented to it, the authorization from the mobile user equipment is exchanged for an access token from the third-party website, and the provisioning server generates the proxy credential.
In some embodiments, the access control server binds the access token and the received proxy credential together, sends the access token to the third-party website for verification via the network and, if the access token is valid, receives an updated access token from the social networking website via the network.
Other features and advantages of the present invention will be apparent from the following detailed description, taken in conjunction with the accompanying drawings, which illustrate by way of example the various features of embodiments of the present invention.
Description of the drawings
For a better understanding of the embodiments described in this application, reference will be made to the following detailed description in conjunction with the following drawings, in which like reference numerals refer to corresponding parts throughout.
Fig. 1 is a block diagram showing an example architecture consistent with the inventive aspects described herein.
Fig. 2A is a messaging diagram showing an example message flow consistent with the inventive aspects described herein.
Fig. 2B is another messaging diagram showing an example message flow consistent with the inventive aspects described herein.
Fig. 3 is another messaging diagram showing an example message flow after the initial connection, consistent with the inventive aspects described herein.
Fig. 4 is an example flow diagram consistent with the inventive aspects described herein.
Detailed description
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the subject matter presented herein. But it will be apparent to one of ordinary skill in the art that the subject matter may be practiced without these specific details. In addition, the particular embodiments described herein are provided by way of example and should not be taken to limit the scope of the invention to these particular embodiments. In other instances, well-known data structures, timing protocols, software operations, procedures and components are not described in detail so as not to unnecessarily obscure aspects of the embodiments of the present invention.
Overview
Certain embodiments disclosed herein provide systems and methods for a mobile device or user equipment (UE) to establish a secure air-link connection to an 802.11 access point (AP) using a certain type of credential. In some embodiments, such a credential can be a third-party website credential the user has previously established. An example of a third-party website credential is a social media or social network (SN) credential.
Current UEs are ubiquitous and are used to access networks such as the Internet over wires and wirelessly. Without encryption, a wireless connection is exposed to snooping, eavesdropping and malicious attack. Also, although in some cases (for example, Internet banking using HTTPS, based on SSL/TLS) a secure end-to-end network tunnel can be established, such a tunnel still leaves the air link between the UE and the AP in the clear, without encryption protection. Traffic that does not use a secure end-to-end network tunnel can therefore be snooped. Using an agreement established between a wireless service provider and the operator of the website that issued the credentials, consumers can be allowed to log their UE on and establish an encrypted air link with the AP using pre-existing website credentials.
It should be noted that the UE discussed herein can be any of a number of devices configured for wireless communication, such as but not limited to smart phones, laptop computers, netbooks, ultrabooks, tablet computers, handheld computers and the like. These can be connected to the Internet by means of a wireless connection to a certain network AP.
It should additionally be noted that certain standards such as IEEE 802.11 can be used for the radio communication between the UE and the AP. These APs providing Internet connectivity can have "hot spot" functionality, including the advanced hot spot and Wi-Fi connectivity of the standard known as Hotspot 2.0 (HS2.0). Hotspot 2.0 technology was developed by the Wi-Fi Alliance and allows automatic and secure connection of a UE to a hot spot. While not limited to HS2.0, the examples disclosed herein use HS2.0 to put the disclosure in context. Thus, while not limited to HS2.0, the embodiments disclosed herein can be used with HS2.0 technology.
Security example
Current UEs are used to access networks such as the Internet, in some cases via a wireless connection. When the wireless connection uses Wi-Fi technology, UE security and user security are enhanced when WPA2-Enterprise security is used. WPA2-Enterprise security comprises three technologies: 802.1X (port-based network access control), 802.11i (encryption of the 802.11 air link) and EAP authentication; when WPA2-Enterprise security is applied successfully, the air link between the UE and the AP is encrypted. This encryption provides confidentiality protection, integrity protection, replay protection and protection from so-called "man-in-the-middle" attacks.
Part of WPA2-Enterprise security is mutual authentication, in which the UE authenticates the identity of an access control server such as an authentication, authorization and accounting (AAA) server, ensuring that it is connecting to the expected Wi-Fi network, and the network authenticates the identity of the UE. Such an access control server handles requests to access network resources and can provide services such as authentication, authorization and accounting via, for example, the RADIUS protocol. Mutual authentication can be implemented using one of the EAP (Extensible Authentication Protocol, see RFC 3748) methods standardized by the Internet Engineering Task Force (IETF), such as EAP Tunneled Transport Layer Security (EAP-TTLS, see RFC 5281). When a successful EAP exchange completes, the AAA server distributes a master session key (MSK) to the AP, and the UE locally computes its own MSK which, on success, has the same value as the MSK distributed to the AP. The MSK is then used together with the 802.11i cryptographic protocol to generate the pairwise temporal key (PTK), used to encrypt unicast transmissions between the UE and the AP and to transport the group temporal key (GTK), which encrypts broadcast and multicast transmissions from the AP to the UE.
Independently of Wi-Fi technology, the IETF has developed other protocols that use authentication and are widely used on the World Wide Web. Two examples are Hypertext Transfer Protocol Secure (HTTPS), which is HTTP over Transport Layer Security (TLS) (see RFC 2616 for HTTP and RFC 5246 for TLS), and HTTP Digest (see RFC 2617). In HTTPS, the TLS layer can be configured for client anonymity, meaning that the client authenticates the server using the server's X.509 certificate but the server does not authenticate the client. Client authentication can then be performed after the TLS tunnel has been successfully established, by the client supplying a username/password encoded in a uniform resource locator (URL) to the server, transmitted over HTTP inside the encrypted TLS tunnel. Both HTTPS and HTTP Digest support mutual authentication. But none of these technologies provides or generates an MSK that can be used together with 802.11i to secure the Wi-Fi air link.
Many websites have large user databases that have been used to issue username/password credentials, and these credentials could be leveraged for other purposes, for example for wireless network access. Examples of websites that have issued username/password credentials to large numbers of users include, but are not limited to, SN sites such as Facebook, Google, Google+, MySpace, LinkedIn, TripIt, Twitter, Yammer and Yahoo!, to name a few. Users of SN sites may wish to use their credentials for Wi-Fi network access and/or to update their SN home page with their current location (that is, to "check in"). SN sites may wish to support these uses of their credentials as a means of extending their advertising to the venue owners who provide public Wi-Fi network access. Other websites that have issued username/password credentials, for example retail and hotel affiliate websites, may also wish to use those username/password credentials for Wi-Fi network access.
In some embodiments, once user authentication has completed successfully, the AAA server can post updates on the user's social media home page and/or retrieve information about the user. It should be noted that in some embodiments, when users authorize the venue owner providing public Wi-Fi network access to use their social network website credentials, they also authorize the social network website API to provide certain personal information that the user has marked as shareable. For example, the AAA server can update the name and location of the venue where the user's UE logged in, such as a particular coffee shop at 123 Main Street. Also, the AAA server can retrieve the user's friend list, favorite foods and other personal information from the example SN website API. The AAA server can then pass that information to a location-based service engine, which can provide certain types of customer promotions offered by the venue. Providing this information to a certain degree may be valuable for the wireless service provider because it can allow the hot spot operator to personalize the service to the user. For example, the venue may offer the user a coupon for a favorite beverage, or may offer free drinks when the user next brings a friend from the list.
Also, there are a number of reasons why users might wish to log on to a network using a pre-existing SN account credential. The user may wish their social network friends to know where they are. They may find that their SN credential is useful for obtaining Wi-Fi access to the Internet in potentially many venues. In addition, by linking an SN account to the login with the wireless service provider, there may be promotions for which the user qualifies, as explained above.
Many SN websites support the authentication technology known as OAuth 2.0 (see IETF RFC 6749). The embodiments described herein include systems and methods that can use the OAuth 2.0 authorization protocol and Hotspot 2.0 Release 2 online sign-up (in-venue, on-the-spot) credential provisioning to provide wireless network access in a way that generates a WPA2-Enterprise MSK in a public wireless access network. In this way, these systems and methods provide on-boarding of new devices to Wi-Fi hot spots, allowing consumers or "bring your own device (BYOD)" users to get on the network.
Example flow
In an example scenario, a user (consumer) walks into a hot-spot venue equipped with an AP for providing Wi-Fi (wireless Internet access) to its customers. In some embodiments, the example AP is configured to use WPA2-Enterprise security. A user wishing to connect to the Internet is required to log on to a wireless service provider account, which must be established with the individual wireless service provider company that operates these wireless APs. In this example, initially, the UE's connection manager has no credential that can be used to authenticate with the hot spot. Each user is expected to select an individual wireless service provider and to log in using the credential (for example, a username and password) they established with it. That login credential can be used when logging on to any AP operated by that particular wireless service provider.
However, the user may have a username/password credential for the example SN website. In addition, the SN website supports OAuth v2 in this example. Also, the AP in the local hot spot is configured to use Hotspot 2.0 Release 2, which includes an online sign-up capability. The embodiments described herein describe systems and methods for a server to use a pre-existing SN credential for user authentication, using OAuth v2 together with the Hotspot 2.0 online sign-up protocol, and then to generate an MSK to facilitate encrypting the air link according to the WPA2-Enterprise protocol. It should be noted that OAuth v2 does not generate an MSK. The server mentioned above is the server (or server farm, or function distributed among multiple servers) that implements the hot-spot functions.
In some embodiments, the user establishes their identity by logging on to the SN website and authorizing the wireless service provider to use their SN identity. Once so authorized, the online sign-up (OSU) server creates a "proxy credential", which is then bound to the user's SN identity. The use of the term OSU server is not meant to be limiting. Any number of servers can be used here, including but not limited to a provisioning server; it suffices that the OSU server provides the provisioning function described herein.
It should also be noted that those of ordinary skill in the art will understand that the concepts described herein can equally be applied in situations where another credential is used to create a proxy credential that facilitates encryption of the air link.
The Hotspot 2.0 online sign-up protocol is used to set up and provision a so-called "proxy credential" to the mobile device. The proxy credential can be a username/password credential or an X.509 client certificate credential. Although called a "proxy credential" in the present invention, it is no different from any username/password or client-certificate credential that can be used with WPA2-Enterprise. As such, after EAP authentication, the UE and the AP each generate or obtain the MSK, which in turn is used to encrypt communication on the air link. After the hot spot's OSU server has provisioned the proxy credential to the UE, the proxy credential is also provisioned to the wireless service provider's (hot spot operator's) AAA server for future use. Later, the UE can use the proxy credential with the Hotspot 2.0 protocol to automatically and securely log on to hot spots operated by the wireless service provider.
Thus, when the consumer returns to a hot spot (at the original location or another location), the UE is able to log on to the hot spot automatically and autonomously using the proxy credential, in accordance with the Hotspot 2.0 protocol. When the hot spot's AAA server receives the UE's authentication request, it checks with the SN website to confirm that the user's authorization to use his/her SN credential is still in force; if so, the UE is authenticated and authorized for Wi-Fi access.
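The flow above, modelled as an added Python example that is not the patent's or any vendor's code: a constructed mock SN site plays the OAuth 2.0 (RFC 6749) authorization server, an OSU server exchanges the UE's authorization code for an access token and binds a freshly generated username/password proxy credential to it in a shared database, and the AAA server checks the proxy credential and re-validates the bound token with the SN site on every later login. All class and method names are hypothetical, and the sample user "alice" and her password are constructed.

```python
"""Model of the proxy-credential flow (constructed example).  The MSK that the
AAA server would hand to the AP after EAP success is out of scope here."""
import hashlib
import hmac
import secrets
import time


class MockSocialNetwork:
    """Constructed stand-in for the third-party (SN) website's OAuth 2.0 endpoints."""

    def __init__(self):
        self._users = {"alice": "correct-horse"}   # constructed sample SN credential
        self._codes = {}    # authorization code -> (user, app_id)
        self._tokens = {}   # access token -> (user, app_id, expiry)

    def login(self, app_id, username, password):
        """SN login page: valid SN credentials yield a one-time authorization code
        tied to the App-ID the portal placed in the redirect URL."""
        if not hmac.compare_digest(self._users.get(username, ""), password):
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, app_id)
        return code

    def exchange_code(self, app_id, code):
        """Token endpoint: a code is single-use and redeemable only by the App-ID
        it was issued for (RFC 6749, section 4.1.3)."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[1] != app_id:
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (entry[0], app_id, time.time() + 3600)
        return token

    def validate_token(self, token):
        """Returns a refreshed token while the user's authorization still stands."""
        entry = self._tokens.pop(token, None)
        if entry is None or entry[2] < time.time():
            return None
        user, app_id, _ = entry
        fresh = secrets.token_urlsafe(24)
        self._tokens[fresh] = (user, app_id, time.time() + 3600)
        return fresh

    def revoke_user(self, username):
        """The user withdraws the authorization on the SN site; codes and tokens die."""
        self._tokens = {t: e for t, e in self._tokens.items() if e[0] != username}
        self._codes = {c: e for c, e in self._codes.items() if e[0] != username}


def _hash_password(password, salt):
    # Proxy passwords are stored hashed, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OsuServer:
    """Provisioning (OSU) server of the hot spot operator."""

    def __init__(self, sn, app_id, db):
        self.sn, self.app_id, self.db = sn, app_id, db

    def handle_authorization(self, auth_code):
        """Exchange the UE's authorization code for an access token, generate a
        proxy credential and bind the two in the database shared with the AAA server."""
        token = self.sn.exchange_code(self.app_id, auth_code)
        if token is None:
            return None
        username = "proxy-" + secrets.token_hex(8)
        password = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self.db[username] = {"salt": salt,
                             "pw_hash": _hash_password(password, salt),
                             "access_token": token}
        return username, password   # delivered to the UE over the OSU session


class AaaServer:
    """Access control server consulted on every later login with the proxy credential."""

    def __init__(self, sn, db):
        self.sn, self.db = sn, db

    def authenticate(self, username, password):
        rec = self.db.get(username)
        if rec is None:
            return False
        if not hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"])):
            return False
        fresh = self.sn.validate_token(rec["access_token"])  # SN authorization still in force?
        if fresh is None:
            return False                # authorization withdrawn or expired: refuse access
        rec["access_token"] = fresh     # keep the updated token bound to the proxy credential
        return True                     # EAP success would follow; AP and UE derive the MSK
```

The code is single-use and App-ID-bound, so a replayed or wrongly addressed authorization code yields no proxy credential, and revoking the SN authorization disables the proxy credential on the next login.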
General introduction in example indicates
Fig. 1 is gone in detail now, and how which depict users can be logged on to wirelessly using existing voucher via UE 110
Service provider and to establish the example embodiment of unsecured air link.In this illustration, there are two same for hot spot tool
The WLAN of Shi Yunying --- the safe WPA2 enterprise-level WLAN and opening WLAN for being used for online registration.In addition, hot spot operator
It is made in advance with the website SN and arranges to provide Wi-Fi access with the voucher for the user for using SN.When being made that this arrangement, heat
Point operator obtains " App-ID " from the website SN, can identify the hot spot operator.In some embodiments, App-ID
Identification hot spot operator can uniquely be arrived.As will be described, App-ID can be used in the OSU server and SN net of hot spot
In certain message exchanges between standing.It should be noted that, it is not intended that the use of term App-ID is limited, because it is various
It can be any amount of identifier in embodiment.
First, UE 110 comes within range of access point (AP) 115 and, using the Hotspot 2.0 protocol, determines that it does not have an appropriate security credential for joining the hotspot. So instead the UE associates with the open SSID used for online sign-up. In step 101, the UE receives an OSU web page 127 via portal 126 and presents it to the user through UE 110. The OSU web page can present various options that allow the user to log in and use the wireless service provider's services; one such option is to use the user's pre-existing SN credential 127, such as a username and password.
Then, in this example, in step 102, if the user clicks the option to use their pre-existing SN credential, the portal redirects the UE browser to the appropriate SN site. Before the UE browser is redirected to the SN site, portal 126 adds the App-ID, or another identifier of the wireless service provider, to the redirect URL, which causes the SN site to display to the user the wireless service provider's identity or other customer information; in this illustration, this is the SN web page showing the request from "Green Wi-Fi" (an exemplary service provider) to access the user's information. The user is given the ability to log on to the SN site with the SN username and password previously established.
If the user provides the appropriate credential, the SN site sends an authentication code (Authentication Code) to the UE. It should be noted that the term "authentication code" is not meant to be limiting; any of various authorizations may be used, and an authorization code indicating that authorization from the SN site has been granted is sufficient. The user may also grant authorization allowing the wireless service provider (in this example the identity manager and AAA of "Green Wi-Fi", together referred to herein as IDM 123) to access certain user information from the SN site at various levels, or to perform certain actions. For example, certain levels may permit the system to access personal information from the user's SN account, such as demographic information, friend information, a history of visited locations, and so on. Certain examples may allow the system to access the user's account and post to the user's SN web page that the user "will register". Then, continuing with step 103 of the example embodiment, UE 110 may be redirected by SN site 132 back to portal 126 with the authentication code or authorization provided by the SN site.
Then, in certain example embodiments, at step 104 the OSU server sends a request directly to SN web site server 130 via IDM 123 to exchange the authentication code for an access token. Some SN sites restrict the lifetime (lifetime) of the authentication code to a short interval, such as two hours; in that case the wireless service provider has up to two hours to exchange the authentication code for an access token. In some cases the access token remains valid for a longer period, such as 60 days. Once the access token has expired, the wireless service provider needs to obtain a new authentication code and access token to continue accessing the SN user's credential. The wireless service provider uses the access token in the following manner.
Once OSU server 120 has the access token, it creates a binding between the proxy credential and the access token and stores the binding, the access token and the proxy credential in its local user database, which in this illustration communicates with IDM 123. Next, in step 105, provisioning server (PS) 125 generates the proxy credential and sends it to UE 110, provisioning it (in this example) using the Hotspot 2.0 Release 2 method.
In example embodiments that do not use an access token, the OSU server or the proxy credential server may bind the proxy credential to the authorization in the database.
Once provisioned, the UE can switch to the AP's encrypted WLAN. To switch (at the original location, on returning to the same location, or at another location where the user can use the proxy credential), the UE automatically logs on to the hotspot with the proxy credential according to the Hotspot 2.0 protocol. When the hotspot's AAA server receives the UE's authentication request, it sends the access token to the SN site to determine whether the user's authorization to use his/her SN credential is still valid. If the SN site accepts the access token, the user's authorization is still valid; in that case the AAA server authenticates the UE's proxy credential and, if that succeeds, authorizes the mobile device for Wi-Fi access. If the SN site does not accept the access token, the user's authorization has expired or been revoked, so the AAA server rejects the UE's proxy credential authentication request and does not authorize the mobile device for Wi-Fi access.
It will be apparent to those skilled in the art that the proxy credential may alternatively be a dynamic pre-shared key. When the Wi-Fi security is configured to use WPA-Personal or WPA2-Personal (which derive the cryptographic keys from a pre-shared key), the server can issue a dynamic pre-shared key.
Detailed example message sequence when the UE has not been pre-authenticated
To help illustrate certain embodiments herein, detailed message sequence diagrams are provided in Figs. 2A and 2B.
Fig. 2A depicts an example message sequence detailing exemplary sequences and steps used in the methods and systems disclosed herein. Fig. 2B depicts the Hotspot 2.0 steps used after the login and the binding to the SN credential described above have taken place. The SN example is reused, but SN is not to be read as limiting and is only illustrative.
Fig. 2A includes UE 210, AP 212 and certain networking components shown, by way of example, as contained in OSU 220. These include a data-plane block referred to as the D blade (D-blade) 222, a data forwarding engine that forwards packets for the OSU and for the integrated database management and AAA server (IDM) 233; the database, here a distributed database 224, such as a server running Cassandra; provisioning server (PS) 225, which provisions the security credential to the UE using the Hotspot 2.0 method; and portal 226, which serves as the interface to the user via the UE browser. The security credential may be a username/password or an X.509v3 client certificate. Certificate authority (CA) 228 is also shown, which can be used to create X.509v3 client certificates as needed. SN site 230 is also shown.
It should be noted that in the above example the D blade is used because it acts as an access control list (ACL) enforcer, allowing only OSU/SN-related packets to be routed to the OSU modules and the SN login site. Different example embodiments may deploy such capability on the AP rather than on the D blade.
Note that the exemplary steps illustrated in the paragraphs below are the steps in the Hotspot 2.0 message sequence, together with the OAuth 2 (RFC-5746) messages, that are used when the SN site and the hotspot operator together create a WPA2-Enterprise secure Wi-Fi session.
Turning to the messaging exchange example in Fig. 2A, UE 210, which does not yet have a credential for logging on to the wireless service provider's hotspot but does have an SN login credential, sends message 250 to AP 212. In this step, the UE determines, using the Hotspot 2.0 method, that it cannot join the WPA2-Enterprise SSID at the hotspot because it has no valid security credential, and therefore determines to register for Wi-Fi access.
Then, UE 210 and AP 212 exchange messages 252 as UE 210 associates with the registration SSID on AP 212.
Then, message exchange 254 takes place as UE 210 establishes a Transport Layer Security (TLS) connection with PS 225 via D blade 222. It should be noted that in some embodiments D blade 222 is not needed here.
Then, message 256 is sent from UE 210 to root CA (Root CA) 240 to verify that the PS server certificate or OSU server certificate has not been revoked. This procedure validates the OSU certificate via D blade 222 using the Online Certificate Status Protocol (OCSP). It should be noted that in some embodiments the D blade is not necessary here.
Then, message 258, an sppPostDevData request (Simple Object Access Protocol, SOAP-XML), is sent by UE 210 via D blade 222 to PS 225. It should be noted that in some embodiments D blade 222 is not necessary here. The sppPostDevData request is the Hotspot 2.0 request method for initiating credential provisioning (for example, online sign-up).
Then, SOAP-XML message 260 is returned from PS 225 to UE 210, commanding the browser to launch to a URL, the URL being that of portal 226.
UE 210 then exchanges messages 262 with portal 226 over HTTPS via D blade 222 for the portal registration page. It should be noted that in some embodiments D blade 222 is not necessary here (the D blade is used as an access control list (ACL) enforcer to allow only OSU/SN-related packets to be routed to the OSU modules and the SN login site; if these access restrictions are not needed, or are enforced by some other network component, the D blade is not used). Once the user's mobile device presents the portal registration web page, the user of UE 210 can "use an SN credential to access Green Wi-Fi's hotspot".
Messages 264 are then exchanged to redirect the UE to SN 230, with portal 226 adding the identifier, or App-ID, and a redirect_URI (redirect_URI, returning to the portal) via D blade 222. It should be noted that in some embodiments message 264 need not be sent via D blade 222.
UE 210 then exchanges messages 266 with SN site 230 via D blade 222 to carry out the SN login dialogue and to confirm the PS client permissions (as described above). It should be noted that in some embodiments message 266 need not be sent via D blade 222.
Then, SN site 230 can send message 268 to redirect UE 210 with the authentication code or authorization.
UE 210 then sends confirmation message 270, carrying the authentication code or authorization, to portal 226 via D blade 222. It should be noted that in some embodiments message 270 need not be sent via D blade 222.
Portal 226 sends registration request 272 to the IDM.
The IDM exchanges messages 274 with the SN site, thereby exchanging the authentication code for an access token from the SN, as described earlier. The IDM stores the token in database 224. This allows the IDM to look up the access token when the user returns on a later day and attempts to join the hotspot.
IDM 223 can then send the access token, together with a confirmation or failure notification 278 for the request to use the user's SN credential, in a response to portal 226.
Finally, at 280, portal 226 sends a final "HTTP redirect 302" to UE 210. If the request to use the SN user credential for Wi-Fi access failed (the notification provided in message 228), portal 226 notifies UE 310 in this step. This completes the SN authorization part of this example.
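The portal/IDM side of this authorization (Fig. 1 steps 102 to 105 and messages 264 to 278 above), as an added example that is not code from the patent: the redirect to the SN carries the App-ID and the redirect_URI, the SN returns a single-use authentication code with the two-hour lifetime cited in the description, and the IDM exchanges it for a 60-day access token that it binds to a freshly generated proxy credential. The SN site, the URLs, the App-ID value and all class and function names are constructed assumptions, not the SN's real API.

```python
"""Added example, not the patent's own code: the portal/IDM side of the SN
authorization (Fig. 1 steps 102-105, Fig. 2A messages 264-278).  The SN
site is a constructed in-memory stand-in and every name is an assumption."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = timedelta(hours=2)    # authentication code lifetime cited in the text
TOKEN_LIFETIME = timedelta(days=60)   # access token lifetime cited in the text


@dataclass
class FakeSnSite:
    """Constructed stand-in for SN site 230 / SN web site server 130."""
    now: datetime
    codes: dict = field(default_factory=dict)   # code -> (app_id, redirect_uri, issued_at)

    def login_and_authorize(self, app_id, redirect_uri):
        """Messages 266/268: the user logs in with the SN credential and consents;
        the SN issues a short-lived code and redirects the UE back to the portal."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (app_id, redirect_uri, self.now)
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def exchange_code(self, code, app_id, redirect_uri):
        """Message 274: trade the code for an access token.  Returns
        (token, expiry), or None when the code cannot be honoured."""
        entry = self.codes.pop(code, None)       # pop: a replayed code is rejected
        if entry is None or entry[:2] != (app_id, redirect_uri):
            return None                          # unknown, replayed, or issued to another App-ID/URI
        if self.now - entry[2] > CODE_LIFETIME:
            return None                          # older than the two-hour limit
        return secrets.token_urlsafe(24), self.now + TOKEN_LIFETIME


@dataclass
class Binding:
    """Row in database 224: the proxy credential bound to the SN access token."""
    proxy_username: str
    proxy_password: str
    access_token: str
    token_expiry: datetime


class Portal:
    """Portal 226: builds the SN redirect (264) and parses the callback (270)."""
    def __init__(self, sn_authorize_url, app_id, redirect_uri):
        # app_id identifies the hotspot operator to the SN; redirect_uri brings the UE back here
        self.sn_authorize_url, self.app_id, self.redirect_uri = sn_authorize_url, app_id, redirect_uri

    def build_sn_redirect(self):
        query = urlencode({"app_id": self.app_id, "redirect_uri": self.redirect_uri})
        return f"{self.sn_authorize_url}?{query}"

    @staticmethod
    def code_from_callback(callback_url):
        return parse_qs(urlparse(callback_url).query).get("code", [None])[0]


class Idm:
    """IDM 223: exchanges the code (274) and stores the binding in database 224."""
    def __init__(self, sn, portal):
        self.sn, self.portal = sn, portal
        self.db = {}                     # proxy username -> Binding

    def register(self, callback_url):
        """Message 272 in, 278 out: the Binding on success, None on failure (the
        failure notification the portal relays to the UE in message 280)."""
        code = self.portal.code_from_callback(callback_url)
        if code is None:
            return None
        result = self.sn.exchange_code(code, self.portal.app_id, self.portal.redirect_uri)
        if result is None:
            return None
        token, expiry = result
        # Step 105 / PS 225: generate the proxy credential (username/password form here).
        binding = Binding("u-" + secrets.token_hex(4), secrets.token_urlsafe(12), token, expiry)
        self.db[binding.proxy_username] = binding
        return binding


def demo(now=None):
    """Happy path plus the three rejections the SN stand-in enforces."""
    now = now or datetime.now(timezone.utc)
    sn = FakeSnSite(now)
    portal = Portal("https://sn.example/authorize", "green-wifi-app", "https://portal.example/cb")
    idm = Idm(sn, portal)
    callback = sn.login_and_authorize(portal.app_id, portal.redirect_uri)
    first = idm.register(callback)
    replay = idm.register(callback)          # same code presented twice
    other = Idm(sn, Portal(portal.sn_authorize_url, "other-app", portal.redirect_uri))
    wrong_app = other.register(sn.login_and_authorize(portal.app_id, portal.redirect_uri))
    late = sn.login_and_authorize(portal.app_id, portal.redirect_uri)
    sn.now = now + timedelta(hours=3)        # code is now older than two hours
    expired = idm.register(late)
    return {"first": first, "replay": replay, "wrong_app": wrong_app, "expired": expired,
            "token_days": (first.token_expiry - now).days}
```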
The steps for provisioning a proxy credential, specifically an X.509v3 client certificate, to the user's UE and then binding the SN credential to the proxy credential (the new X.509v3 client certificate credential) issued by the system are described next.
Then, in this illustration, as shown in Fig. 2B, the Hotspot 2.0 exchange is carried out to complete the online sign-up process. UE 210 sends SOAP-XML indication message 282, which indicates that the user has finished supplying to PS 225 all of the information necessary for the SN site. This can be the signal for the PS to initiate certificate credential enrollment (enrollment). "Enrollment" is the name used by Hotspot 2.0 for issuing a client certificate to a mobile device.
Then, with message 284, PS 225 sends a certificate enrollment request (SOAP-XML) message to UE 210.
UE 210 then exchanges HTTPS-based messages 286 with PS 225 via D blade 222 to perform certificate enrollment (see EST, Enrollment over Secure Transport, IETF RFC-7030). It should be noted that in some embodiments D blade 222 is not needed for message exchange 289 here. Then, PS 225 exchanges messages with CA 228 to generate the client certificate, which is provisioned to the UE.
After UE 210 successfully installs the certificate, the UE signals success indication 290 to PS 225.
PS 225 exchanges messages 292 with IDM 223 to obtain the Hotspot 2.0 PerProviderSubscription Management Object (PerProviderSubscription Management Object, PPS MO). The PPS MO contains the connection manager settings for the UE, the identification information of the service provider (for example, Green Wi-Fi) and other metadata related to the credential.
PS 225 then sends message 294 to provision the PPS MO to UE 210.
UE 210 then sends message 296 (SOAP-XML), indicating that the PPS MO was installed successfully, to PS 225 via D blade 222. It should be noted that in some embodiments message 296 need not be sent via D blade 222.
PS 225 sends registration-success message 298 (SOAP-XML) to UE 210.
Also, UE 210 sends message 299 (SOAP-XML) to PS 225 via D blade 222 to indicate release of the TLS connection. This then allows encrypted communication between the AP and the UE, because the appropriate certificate and/or MSK have been provisioned to the UE. It should be noted that in some embodiments message 299 need not be sent via D blade 222.
Example message transfer after pre-authentication
The examples in Figs. 2A and 2B above are examples in which the UE has not previously connected using the SN credential. Fig. 3 depicts an example in which user 310 has previously visited the hotspot and a client certificate has been provisioned to user 310 through the generated access token, the client certificate having been bound to the user's SN credential by the OSU server.
In the example of Fig. 3, example UE 310 comes within range of AP 312 and wishes to associate with AP 312; the AP sends message 350 to UE 310. The UE's connection manager may use 802.11u GAS/ANQP, or another generic advertisement service/access network query protocol, to determine whether it holds a credential from any roaming partner of the Wi-Fi network or from the Wi-Fi hotspot operator itself.
Then, the AP sends message 352 to the UE indicating that it can authenticate credentials from the wireless service provider, for example the "Green-Wi-Fi" of the earlier example.
Then, UE 310 exchanges messages 354 with AP 312 to associate with AP 312.
UE 310 exchanges messages 356 with AP 312, and AP 312 in turn exchanges messages 358 with IDM 323 via D blade server 322 to initiate an EAP-TLS authentication exchange with the wireless service provider's AAA server 323. In this step, the AAA server starts to authenticate the UE's proxy credential (which is an X.509v3 client certificate). Note that EAP-TLS is the method used when the UE has an X.509v3 client certificate. It should be noted that in some embodiments message 358 need not be sent via D blade 222.
Then, when the AAA server in IDM 323 receives the client certificate, it sends a message to database 324, and database 324 in turn sends back message 362 with the example SN site access token for that user.
IDM 323 then sends message 364, carrying the access token, to the example social network site 330 API. The SN site then sends message 336 with the updated access token.
If the update succeeds, the user's permission to use the example SN site credential has not been revoked and EAP authentication should continue.
Then, message exchange 368 takes place between the AAA server in IDM 323 and AP 312 via D blade 322, concerning EAP success and RADIUS Access-Accept (success). It should be noted that in some embodiments message 368 need not be sent via D blade 222.
Then, AP 312 and UE 310 exchange the 802.11 4-way handshake (4WHS) messages 370 to establish the layer-2 security association (WPA2-Enterprise security). Note: if the access token update fails, user authentication should fail and the UE should be deauthenticated from the Wi-Fi network (in this case, a RADIUS Access-Reject message is sent to the AP).
After this, encrypted communication between the AP and the UE is allowed.
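The AAA-side decision described for Fig. 1 after provisioning and for messages 356 to 370 of Fig. 3, as an added example that is not code from the patent: the server verifies the presented proxy credential against the stored binding, asks the SN to update the bound access token, and returns Access-Accept only when the SN confirms the authorization is still in force, storing the updated token for the next visit; a revoked or expired authorization produces Access-Reject and drops the binding so that a new authentication code and token must be obtained. The SN token API, the database rows and all names are constructed assumptions.

```python
"""Added example, not the patent's own code: the AAA decision at re-authentication
(Fig. 1 after provisioning; Fig. 3 messages 356-370).  The SN token API and the
database are constructed in-memory stand-ins and every name is an assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=60)   # access token lifetime cited in the description


def fingerprint(credential_secret: bytes) -> str:
    """The database keeps only a digest of the proxy credential's secret
    (password, or the DER of the X.509v3 client certificate), never the secret."""
    return hashlib.sha256(credential_secret).hexdigest()


@dataclass
class Binding:
    """Row in database 324: proxy credential bound to the user's SN access token."""
    credential_id: str            # username, or the client certificate subject
    credential_fingerprint: str
    access_token: str
    token_expiry: datetime


class FakeSnTokenApi:
    """Constructed stand-in for the SN site 330 API (messages 364/366): a known,
    unexpired, unrevoked token is replaced by an updated one; anything else fails."""
    def __init__(self, now):
        self.now, self.tokens, self.revoked = now, {}, set()   # tokens: token -> expiry

    def issue(self):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = self.now + TOKEN_LIFETIME
        return token

    def revoke(self, token):          # the user withdrew the operator's permission on the SN
        self.revoked.add(token)

    def update(self, token):
        """Returns (new_token, new_expiry), or None when the authorization no longer holds."""
        expiry = self.tokens.get(token)
        if expiry is None or token in self.revoked or self.now >= expiry:
            return None
        del self.tokens[token]        # the old token is retired when it is updated
        new = self.issue()
        return new, self.tokens[new]


class AaaServer:
    """AAA inside IDM 323: EAP identity in (358), RADIUS Access-Accept/Reject out (368)."""
    def __init__(self, db, sn):
        self.db, self.sn = db, sn     # db: credential_id -> Binding

    def authenticate(self, credential_id, credential_secret):
        binding = self.db.get(credential_id)
        # 1. Verify the proxy credential itself (stand-in for EAP-TLS certificate validation).
        if binding is None or not hmac.compare_digest(
                binding.credential_fingerprint, fingerprint(credential_secret)):
            return "Access-Reject"
        # 2. Messages 360/362: retrieve the bound token; 364/366: ask the SN to update it.
        result = self.sn.update(binding.access_token)
        if result is None:
            # Authorization expired or revoked: reject, and drop the binding so the
            # operator has to obtain a new authentication code and access token.
            del self.db[credential_id]
            return "Access-Reject"
        # 3. Store the updated token so the next visit presents the current one.
        binding.access_token, binding.token_expiry = result
        return "Access-Accept"


def demo(now=None):
    """Happy path, wrong secret, revoked authorization, expired token, unknown user."""
    now = now or datetime.now(timezone.utc)
    sn = FakeSnTokenApi(now)
    db = {}
    for cid, secret in (("alice", b"cert-der-alice"), ("bob", b"cert-der-bob"),
                        ("carol", b"cert-der-carol")):
        token = sn.issue()
        db[cid] = Binding(cid, fingerprint(secret), token, sn.tokens[token])
    aaa = AaaServer(db, sn)
    out = {"ok": aaa.authenticate("alice", b"cert-der-alice")}
    out["ok_again"] = aaa.authenticate("alice", b"cert-der-alice")    # updated token still works
    out["bad_secret"] = aaa.authenticate("alice", b"cert-der-eve")
    sn.revoke(db["bob"].access_token)
    out["revoked"] = aaa.authenticate("bob", b"cert-der-bob")
    out["revoked_retry"] = aaa.authenticate("bob", b"cert-der-bob")   # binding was dropped
    sn.now = now + timedelta(days=61)                                 # past the 60-day lifetime
    out["expired"] = aaa.authenticate("carol", b"cert-der-carol")
    out["unknown"] = aaa.authenticate("dave", b"cert-der-dave")
    return out
```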
Example summary
Fig. 4 shows a flow chart summarizing an example that uses certain of the embodiments described herein. First, at 410, a credential provisioning server receives a request to access a network from a mobile user device. Later, at 420, the credential provisioning server sends a web-page registration option for a third-party credential to the mobile user device. Then, at 430, the credential provisioning server receives from the mobile user device an indication to use the third-party credential. Then, at 440, the credential provisioning server redirects the mobile user device via the network to the corresponding third-party website login page, including an identifier. Then, at 450, the credential provisioning server receives an authentication code or authorization from the mobile user device, the received authentication code or authorization having been sent from the third-party website to the mobile user device after a valid third-party credential was provided to the third-party website. Then, at 460, the credential provisioning server generates a proxy credential and binds the authorization to the proxy credential in a database. Then, at 470, the credential provisioning server sends the proxy credential to the mobile user device via an access point. Finally, at 480, the credential provisioning server authorizes the mobile user device to establish a secure association.
Example embodiments with a single enclosure
It should be noted that in the accompanying drawings certain features and components are shown grouped as one unit, online sign-up server (OSU) 120. But this is only exemplary and illustrative. For example, in Fig. 1 OSU 120 is shown as including portal 126, IDM 123 or the AAA server, and provisioning server (PS) 125. And in Fig. 2, OSU 220 is shown as including D blade 222, IDM 223, database 224, PS 225, portal 226 and certificate authority 228. Database 224 may be any distributed database, such as a Cassandra database, in order to provide replication across the OSU nodes and so support the scalability of a large-scale network operator deployment. But any or all of these components need not be housed in a single component such as OSU 120 and 220; instead, the components may be grouped in any manner. In these example embodiments herein, however, certain components are grouped into one product enclosure, OSU 120, 220, 320.
Conclusion
It should be noted that the term "hotspot" is used only by way of example. The inventive aspects disclosed herein may be used with many different types of wireless communication interfaces and standards. Throughout this document, the Wi-Fi standard is used by way of example.
As disclosed herein, features consistent with the present invention may be implemented via computer hardware, software and/or firmware. For example, the systems and methods disclosed herein may be embodied in various forms, for example in data processors, such as computers that also include a database, digital electronic circuitry, firmware, software, computer networks, servers, or combinations thereof. In addition, although some of the disclosed implementations describe specific hardware components, systems and methods consistent with the innovations herein may be implemented with any combination of hardware, software and/or firmware. Furthermore, the above-noted features and other aspects and principles of the innovations herein may be implemented in various environments. Such environments and related applications may be specially constructed for performing the various routines, processes and/or operations according to the invention, or they may include a general-purpose computer or computing platform selectively activated or reconfigured by code to provide the necessary functionality. The processes disclosed herein are not inherently related to any particular computer, network, architecture, environment or other apparatus, and may be implemented by a suitable combination of hardware, software and/or firmware. For example, various general-purpose machines may be used with programs written in accordance with the teachings of the invention, or it may be more convenient to construct a specialized apparatus or system to perform the required methods and techniques.
Aspects of the methods and systems disclosed herein, such as the logic, may be implemented as functionality programmed into any of a variety of circuitry, including programmable logic devices ("PLDs"), such as field programmable gate arrays ("FPGAs"), programmable array logic ("PAL") devices, electrically programmable logic and memory devices and standard cell-based (cell) devices, as well as application specific integrated circuits. Some other possibilities for implementing aspects include: memory devices, microcontrollers with memory (for example, EEPROM), embedded microprocessors, firmware, software, and so on. Furthermore, aspects may be embodied in microprocessors having software-based circuit emulation, discrete logic (sequential and combinatorial), custom devices, fuzzy (neural) logic, quantum devices, and hybrids of any of the above device types. The underlying device technologies may be provided in a variety of component types, for example metal-oxide semiconductor field-effect transistor ("MOSFET") technologies such as complementary metal-oxide semiconductor ("CMOS"), bipolar technologies such as emitter-coupled logic ("ECL"), polymer technologies (for example, silicon-conjugated polymer and metal-conjugated polymer-metal structures), mixed analog and digital, and so on.
It should also be noted that the various logic and/or functions disclosed herein may be enabled using any number of combinations of hardware, firmware, and/or data and/or instructions embodied in various machine-readable or computer-readable media, in terms of their behavioral, register transfer, logic component and/or other characteristics. Computer-readable media in which such formatted data and/or instructions may be embodied include, but are not limited to, non-volatile storage media in various forms (for example, optical, magnetic or semiconductor storage media) and carrier waves that may be used to transfer such formatted data and/or instructions through wireless, optical or wired signaling media, or any combination thereof. Examples of transfers of such formatted data and/or instructions by carrier waves include, but are not limited to, transfers (uploads, downloads, e-mail, and so on) over the Internet and/or other computer networks via one or more data transfer protocols (for example, HTTP, FTP, SMTP, and so on).
Unless the context clearly requires otherwise, throughout the description and the claims the words "comprise", "comprising" and the like are to be construed in an inclusive sense rather than an exclusive or exhaustive sense; that is to say, in the sense of "including, but not limited to". Words using the singular or plural number also include the plural or singular number respectively. Additionally, the words "herein", "hereunder", "above", "below" and words of similar import refer to this application as a whole and not to any particular portion of this application. When the word "or" is used in reference to a list of two or more items, that word covers all of the following interpretations of the word: any of the items in the list, all of the items in the list, and any combination of the items in the list.
Although certain presently preferred implementations of the invention have been specifically described herein, it will be apparent to those skilled in the art that variations and modifications of the various implementations shown and described herein may be made without departing from the spirit and scope of the invention. Accordingly, it is intended that the invention be limited only to the extent required by the applicable rules of law.
The foregoing description, for purposes of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, so that others skilled in the art can best utilize the invention and various embodiments with the various modifications suited to the particular use contemplated.
Claims (27)
1. A system for establishing secure wireless communication, comprising:
a credential provisioning server in communication with an access point, a database, an access control server and a network, the credential provisioning server having a processor and memory and being configured to:
receive, via the access point, a request from a mobile user device to access the network;
send, via the access point, a web-page registration option for a third-party credential to the mobile user device;
receive, via the access point, an indication from the mobile user device to use the third-party credential;
redirect the mobile user device via the network to a corresponding third-party website login page, including an identifier;
receive, via the access point, an authorization from the mobile user device, the authorization having been sent from the third-party website to the mobile user device after a valid third-party credential was provided to the third-party website;
generate a proxy credential;
bind the authorization to the proxy credential in the database;
send the proxy credential to the mobile user device via the access point;
authorize the mobile user device to establish a secure association via the access control server and the access point;
exchange, via the network, the authorization from the mobile user device for an access token from the third-party website; and
send the access token to the access control server to be bound, in the database, to the proxy credential corresponding to the mobile user device;
wherein the access control server is configured to:
after the mobile user device has previously accessed the network,
receive the proxy credential from the mobile user device via the access point, the proxy credential having previously been sent to the mobile user device after a successful login to the third-party website;
verify the proxy credential from the mobile user device via the access point;
retrieve the access token bound to the received proxy credential;
send the access token to the third-party website via the network for verification;
if the access token is valid, receive an updated access token from the social networking website via the network; and
authorize the mobile user device to establish a secure association via the access point.
2. The system of claim 1, wherein the credential provisioning server is configured to request, via the network,
permission to access user information from the third-party website; and
permission to update location information on the third-party website using the mobile user device.
3. The system of claim 2, wherein the credential provisioning server is configured to:
after receiving the authorization from the mobile user device, request the user information from the third-party website via the network; and
receive and store the user information from the third-party website in response to the request.
4. The system of claim 2, wherein the credential provisioning server is configured to:
send location information of the mobile user device to the third-party website via the network.
5. The system of claim 1, wherein the proxy credential is a username and password credential.
6. The system of claim 1, wherein the proxy credential is a client certificate credential.
7. The system of claim 1, wherein the proxy credential is a dynamic pre-shared key.
8. The system of claim 1, wherein the third-party credential is a social network credential and the third-party website is a social networking website.
9. The system of claim 1, wherein the identifier is an App-ID.
10. The system of claim 1, wherein the authorization is an authentication code.
11. The system of claim 1, wherein
receiving the authorization and exchanging the authorization for the access token are performed via the OAuthv2 (RFC-6749) protocol.
12. A method for establishing secure wireless communication, comprising:
via a credential provisioning server in communication with an access point, a database, an access control server and a network,
receiving, via the access point, a request from a mobile user device to access the network;
sending, via the access point, a web-page registration option for a third-party credential to the mobile user device;
receiving, via the access point, an indication from the mobile user device to use the third-party credential;
redirecting the mobile user device via the network to a corresponding third-party website login page, including an App-ID;
receiving, via the access point, an authorization from the mobile user device, the authorization having been sent from the third-party website to the mobile user device after a valid third-party credential was provided to the third-party website;
generating a proxy credential;
binding the authorization to the proxy credential in the database;
sending the proxy credential to the mobile user device via the access point;
authorizing the mobile user device to establish a secure association via the access control server and the access point;
exchanging, via the network, the authorization from the mobile user device for an access token from the third-party website; and
sending the access token to the access control server to be bound, in the database, to the proxy credential corresponding to the mobile user device;
via the access control server:
after the mobile user device has previously accessed the network,
receiving the proxy credential from the mobile user device via the access point, the proxy credential having previously been sent to the mobile user device after a successful login to the third-party website;
verifying the proxy credential from the mobile user device via the access point;
retrieving the access token bound to the received proxy credential;
sending the access token to the third-party website via the network for verification;
if the access token is valid, receiving an updated access token from the social networking website via the network; and
authorizing the mobile user device to establish a secure association via the access point.
13. The method of claim 12, further comprising requesting, via the credential provisioning server and the network,
permission to access user information from the third-party website; and
permission to update location information on the third-party website using the mobile user device.
14. The method of claim 13, further comprising, via the credential provisioning server,
after receiving the authorization from the mobile user device, requesting the user information from the third-party website via the network; and
receiving and storing the user information from the third-party website in response to the request.
15. according to the method for claim 13, further include, via the document-based supply server,
The third party website is sent by the location information of the mobile subscriber equipment via the network.
16. according to the method for claim 12, wherein the Proxy Credential is username and password voucher.
17. according to the method for claim 12, wherein the Proxy Credential is client certificate voucher.
18. according to the method for claim 12, wherein the Proxy Credential is dynamic wildcard.
19. according to the method for claim 12, wherein third party's voucher is social networks voucher and the third
Square website is social networking website.
20. according to the method for claim 12, wherein
It receives authorization code and at access token is via OAuthv2 (RFC-6749) agreement by the authorization exchange.
21. according to the method for claim 12, wherein the authorization is authentication code.
22. a kind of method for establishing safe wireless communication, comprising:
Via with document-based supply server, access point, database and the accessing control server of network communication,
Via described access point from mobile subscriber equipment Receiving Agent voucher, the Proxy Credential is being successfully logged onto third party's net
The mobile subscriber equipment has been sent to from the document-based supply server in advance after standing;
The Proxy Credential from the mobile subscriber equipment is verified via described access point;Via described access point authorization institute
It states mobile subscriber equipment and establishes secure attachment;
Access token and received Proxy Credential are bound;
Third party website is sent by the access token via the network to verify;And
If the access token effectively if via the network from social networking website receive update access token.
23. according to the method for claim 22, wherein the Proxy Credential is username and password voucher.
24. according to the method for claim 22, wherein the Proxy Credential is client certificate voucher.
25. according to the method for claim 22, wherein the Proxy Credential is dynamic wildcard.
26. according to the method for claim 22, wherein the Proxy Credential is by the document-based supply server in response under
It states and generates,
The document-based supply server is received from the mobile subscriber equipment via described access point and is authorized, and the authorization will have
Third party's voucher of effect is sent to the mobile use from the third party website after providing to the third party website
Family equipment.
27. according to the method for claim 22, wherein the Proxy Credential is by the document-based supply server in response under
It states and generates,
The document-based supply server is via the network by the authorization exchange from the mobile subscriber equipment at coming from
The access token of the third party website.
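As an added example, not the patent's or any implementer's code: a Python model of the flow in claims 12 and 22, in which the provisioning side mints a username/password proxy credential (claim 16), binds it to the access token obtained for the authorization code, and the reconnect path verifies only the proxy credential and then revalidates the bound token upstream. The third-party site is a constructed stand-in, and all class names, the sample user and the token formats are assumptions.

```python
import hashlib, hmac, secrets
def _h(salt, secret):                       # salted hash of a proxy secret
    return hashlib.sha256(salt + secret.encode()).digest()
class ThirdPartySite:
    """Constructed stand-in for the social/OAuth site (RFC 6749 code flow)."""
    def __init__(self, users):              # constructed: username -> password
        self.users, self.codes, self.tokens = users, {}, {}
    def login(self, user, password):        # valid login -> authorization code
        if self.users.get(user) != password:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        return code
    def exchange(self, code):               # one-time code -> access token
        user = self.codes.pop(code, None)
        if user is None:
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = user
        return tok
    def verify(self, tok):                  # valid token -> retired, updated token issued
        user = self.tokens.pop(tok, None)
        if user is None:
            return None
        new = secrets.token_urlsafe(24)
        self.tokens[new] = user
        return new

class ProvisioningServer:
    """Credential provisioning server: mints the proxy credential and binds it."""
    def __init__(self, site, db):
        self.site, self.db = site, db
    def on_authorization(self, device_id, code):
        user, pw, salt = f"proxy-{device_id}", secrets.token_urlsafe(18), secrets.token_bytes(16)
        tok = self.site.exchange(code)      # claims 12/27: authorization code -> access token
        if tok is None:
            return None                     # code already used or invalid: nothing is bound
        # Only a salted hash of the proxy secret is stored; the social password never is.
        self.db[user] = {"salt": salt, "hash": _h(salt, pw), "token": tok}
        return user, pw                     # claim 16: username/password proxy credential

class AccessControlServer:
    """Reconnect path (claim 22): verify proxy credential, then revalidate the token."""
    def __init__(self, site, db):
        self.site, self.db = site, db
    def reconnect(self, user, pw):
        rec = self.db.get(user)
        if rec is None or not hmac.compare_digest(_h(rec["salt"], pw), rec["hash"]):
            return False                    # unknown or wrong proxy credential
        new = self.site.verify(rec["token"])
        if new is None:
            return False                    # token revoked/expired upstream: deny access
        rec["token"] = new                  # keep the updated token bound
        return True
```

Denying the reconnect when the upstream site rejects the bound token is what stops a retained proxy credential from outliving the social-network authorization it was issued for.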
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201361885445P | 2013-10-01 | 2013-10-01 | |
US61/885,445 | 2013-10-01 | ||
PCT/US2014/058409 WO2015050892A1 (en) | 2013-10-01 | 2014-09-30 | Secure network access using credentials |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105830414A (en) | 2016-08-03 |
CN105830414B (en) | 2019-07-12 |
Family
ID=52779085
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201480064804.6A Active CN105830414B (en) | 2013-10-01 | 2014-09-30 | Secure network access using credentials |
Country Status (5)
Country | Link |
---|---|
US (1) | US10284545B2 (en) |
EP (2) | EP3637729A1 (en) |
CN (1) | CN105830414B (en) |
TW (1) | TWI668645B (en) |
WO (1) | WO2015050892A1 (en) |
Families Citing this family (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8566596B2 (en) * | 2010-08-24 | 2013-10-22 | Cisco Technology, Inc. | Pre-association mechanism to provide detailed description of wireless services |
US20150127636A1 (en) * | 2013-11-05 | 2015-05-07 | Guesterly Llc | Automated event attendee data collection and document generation apparatuses, methods and systems |
US9800581B2 (en) * | 2014-03-14 | 2017-10-24 | Cable Television Laboratories, Inc. | Automated wireless device provisioning and authentication |
US9942762B2 (en) * | 2014-03-28 | 2018-04-10 | Qualcomm Incorporated | Provisioning credentials in wireless communications |
WO2015169552A1 (en) * | 2014-05-05 | 2015-11-12 | Telefonaktiebolaget L M Ericsson (Publ) | Protecting wlcp message exchange between twag and ue |
WO2016183613A1 (en) * | 2015-05-18 | 2016-11-24 | Genius Wifi Holdings International Pty Ltd | Wifi user authentication |
US10038695B2 (en) | 2015-06-02 | 2018-07-31 | ALTR Solutions, Inc. | Remotely deauthenticating a user from a web-based application using a centralized login server |
US9866545B2 (en) | 2015-06-02 | 2018-01-09 | ALTR Solutions, Inc. | Credential-free user login to remotely executed applications |
CN106375265A (en) * | 2015-07-22 | 2017-02-01 | 中兴通讯股份有限公司 | Household gateway and communication management method and communication system thereof |
US10412160B2 (en) | 2015-08-05 | 2019-09-10 | Facebook, Inc. | Controlling a device cloud |
US10541958B2 (en) | 2015-08-05 | 2020-01-21 | Facebook, Inc. | Controlling a device cloud |
US10567479B2 (en) | 2015-08-05 | 2020-02-18 | Facebook, Inc. | Managing a device cloud |
US10348798B2 (en) | 2015-08-05 | 2019-07-09 | Facebook, Inc. | Rules engine for connected devices |
US10425392B2 (en) * | 2015-08-05 | 2019-09-24 | Facebook, Inc. | Managing a device cloud |
CN106921636B (en) * | 2015-12-28 | 2020-05-08 | 华为技术有限公司 | Identity authentication method and device |
US10104544B2 (en) * | 2016-04-05 | 2018-10-16 | Qualcomm Incorporated | LTE-level security for neutral host LTE |
CN106304073A (en) * | 2016-08-30 | 2017-01-04 | 福建富士通信息软件有限公司 | A kind of authentication management method and system of WIFI Portal |
CN106453309B (en) * | 2016-10-11 | 2020-04-17 | 北京天融信网络安全技术有限公司 | Security audit method and PC terminal |
US10498724B2 (en) * | 2016-12-22 | 2019-12-03 | Fujitsu Limited | Digital community system |
WO2018120150A1 (en) * | 2016-12-30 | 2018-07-05 | 华为技术有限公司 | Method and apparatus for connection between network entities |
US10880332B2 (en) * | 2017-04-24 | 2020-12-29 | Unisys Corporation | Enterprise security management tool |
US11038875B2 (en) | 2017-09-20 | 2021-06-15 | Mx Technologies, Inc. | Data aggregation using a limited-use code |
CN111492358B (en) * | 2017-12-22 | 2023-06-16 | 英国电讯有限公司 | Device authentication |
US10813169B2 (en) | 2018-03-22 | 2020-10-20 | GoTenna, Inc. | Mesh network deployment kit |
US10944757B2 (en) | 2018-09-19 | 2021-03-09 | Cisco Technology, Inc. | Granting wireless network access based on application authentication credentials of client devices |
US11616784B2 (en) * | 2019-07-11 | 2023-03-28 | Kyndryl, Inc. | Personal-public service set identifiers connection implemented by a WAP |
CN110719169A (en) * | 2019-11-07 | 2020-01-21 | 北京小米移动软件有限公司 | Method and device for transmitting router safety information |
CN111064708B (en) * | 2019-11-25 | 2022-05-17 | 北京秒针人工智能科技有限公司 | Authorization authentication method and device and electronic equipment |
US11234132B1 (en) * | 2020-07-23 | 2022-01-25 | Hewlett Packard Enterprise Development Lp | Autonomous device authentication for private network access |
CN112511569B (en) * | 2021-02-07 | 2021-05-11 | 杭州筋斗腾云科技有限公司 | Method and system for processing network resource access request and computer equipment |
US11204971B1 (en) * | 2021-07-08 | 2021-12-21 | metacluster lt, UAB | Token-based authentication for a proxy web scraping service |
CN114513785B (en) * | 2022-02-22 | 2023-10-20 | 新华三技术有限公司 | Terminal authentication method and device |
CN115996126B (en) * | 2022-12-02 | 2023-11-03 | 北京深盾科技股份有限公司 | Information interaction method, application device, auxiliary platform and electronic device |
CN117692255B (en) * | 2024-02-02 | 2024-04-30 | 北京首信科技股份有限公司 | Method and device for dynamically expanding AAA service and electronic equipment |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012142370A3 (en) * | 2011-04-15 | 2012-12-06 | Shift4 Corporation | Method and system for enabling merchants to share tokens |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
BRPI0412724A (en) | 2003-07-29 | 2006-09-26 | Thomson Licensing | controlling access to a network using redirection |
US20080217129A1 (en) * | 2007-03-06 | 2008-09-11 | Whelan Patrick J | Airport Seat |
US8738897B2 (en) * | 2007-04-25 | 2014-05-27 | Apple Inc. | Single sign-on functionality for secure communications over insecure networks |
US8403199B2 (en) * | 2009-03-24 | 2013-03-26 | Senju Metal Industry Co., Ltd. | Localized jet soldering device and partial jet soldering method |
US9066227B2 (en) * | 2009-07-17 | 2015-06-23 | Datavalet Technologies | Hotspot network access system and method |
US8630901B2 (en) * | 2009-10-09 | 2014-01-14 | Pravala Inc. | Using a first network to control access to a second network |
US9264435B2 (en) * | 2011-02-15 | 2016-02-16 | Boingo Wireless, Inc. | Apparatus and methods for access solutions to wireless and wired networks |
PL2681266T3 (en) | 2011-03-02 | 2017-05-31 | Huntsman International Llc | Flame retardant composition for thermoplastic polyurethane polymers |
KR101243713B1 (en) * | 2011-07-08 | 2013-03-13 | 이광민 | Wireless lan access point and method for accessing wireless lan |
US8495714B2 (en) * | 2011-07-20 | 2013-07-23 | Bridgewater Systems Corp. | Systems and methods for authenticating users accessing unsecured wifi access points |
US9571482B2 (en) * | 2011-07-21 | 2017-02-14 | Intel Corporation | Secure on-line sign-up and provisioning for Wi-Fi hotspots using a device management protocol |
US8844013B2 (en) * | 2011-10-04 | 2014-09-23 | Salesforce.Com, Inc. | Providing third party authentication in an on-demand service environment |
US8667579B2 (en) * | 2011-11-29 | 2014-03-04 | Genband Us Llc | Methods, systems, and computer readable media for bridging user authentication, authorization, and access between web-based and telecom domains |
US9479488B2 (en) * | 2012-01-26 | 2016-10-25 | Facebook, Inc. | Network access based on social-networking information |
US8756668B2 (en) * | 2012-02-09 | 2014-06-17 | Ruckus Wireless, Inc. | Dynamic PSK for hotspots |
US9526022B2 (en) * | 2012-08-03 | 2016-12-20 | Intel Corporation | Establishing operating system and application-based routing policies in multi-mode user equipment |
US20140245411A1 (en) * | 2013-02-22 | 2014-08-28 | Nokia Corporation | Method and apparatus for providing account-less access via an account connector platform |
FR3015168A1 (en) * | 2013-12-12 | 2015-06-19 | Orange | TOKEN AUTHENTICATION METHOD |
US9794266B2 (en) * | 2014-09-05 | 2017-10-17 | Qualcomm Incorporated | Using multiple credentials for access and traffic differentiation |
2014
- 2014-09-30 CN CN201480064804.6A patent/CN105830414B/en active Active
- 2014-09-30 EP EP19213499.7A patent/EP3637729A1/en active Pending
- 2014-09-30 EP EP14850219.8A patent/EP3053322B1/en active Active
- 2014-09-30 WO PCT/US2014/058409 patent/WO2015050892A1/en active Application Filing
- 2014-09-30 TW TW103133967A patent/TWI668645B/en not_active IP Right Cessation
2016
- 2016-04-01 US US15/089,247 patent/US10284545B2/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012142370A3 (en) * | 2011-04-15 | 2012-12-06 | Shift4 Corporation | Method and system for enabling merchants to share tokens |
Also Published As
Publication number | Publication date |
---|---|
WO2015050892A1 (en) | 2015-04-09 |
TW201514876A (en) | 2015-04-16 |
EP3053322A4 (en) | 2017-04-05 |
EP3053322A1 (en) | 2016-08-10 |
US10284545B2 (en) | 2019-05-07 |
US20160219038A1 (en) | 2016-07-28 |
CN105830414A (en) | 2016-08-03 |
TWI668645B (en) | 2019-08-11 |
EP3637729A1 (en) | 2020-04-15 |
EP3053322B1 (en) | 2019-12-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105830414B (en) | Secure network access using credentials | |
CN107409137B (en) | For using application specific network insertion voucher to the device and method by guarantee connectivity of wireless network | |
CN102017572B (en) | The method logged on for providing single service, equipment and computer program | |
CN101032142B (en) | Means and methods for signal sign-on access to service network through access network | |
CN101569217B (en) | Method and arrangement for integration of different authentication infrastructures | |
US9170718B2 (en) | Systems and methods for enhanced engagement | |
US8176328B2 (en) | Authentication of access points in wireless local area networks | |
KR20180095873A (en) | Wireless network access method and apparatus, and storage medium | |
KR20070032805A (en) | System and method for managing user authentication and authorization to realize single-sign-on for accessing multiple networks | |
CN103220303B (en) | The login method of server and server, authenticating device | |
EP2062129A2 (en) | Systems and methods for providing network credentials | |
EP3844929B1 (en) | Non-3gpp device access to core network | |
CN101771722B (en) | System and method for WAPI terminal to access Web application site | |
KR102118556B1 (en) | Method for providing private blockchain based privacy information management service | |
Maia et al. | CROSS: loCation pROof techniqueS for consumer mobile applicationS | |
JP2004213315A (en) | Authentication server, authentication system, and authentication program | |
CN101742507B (en) | System and method for accessing Web application site for WAPI terminal | |
JP2015111440A (en) | Method and apparatus for trusted authentication and log-on | |
Almuhaideb et al. | Flexible Authentication Technique for Ubiquitous Wireless Communication using Passport and Visa Tokens | |
Perković et al. | On WPA2‐Enterprise Privacy in High Education and Science | |
CN103428694A (en) | Split terminal single sign-on combined authentication method and system | |
JP2017139026A (en) | Method and apparatus for reliable authentication and logon | |
WO2023212051A1 (en) | Methods, architectures, apparatuses and systems for decentralized data control and access management | |
Sun | Mobile social network platform | |
Nawaz | Secure identification in social wireless networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20190610. Address after: Georgia, USA. Applicant after: Aris Enterprise Co., Ltd. Address before: California, USA. Applicant before: Airespider Networks Inc. |
| GR01 | Patent grant | |